---
layout: docs
page_title: GCP Cloud KMS - KMSs - Configuration
description: >-
  The GCP Cloud KMS configures Boundary to use GCP Cloud KMS for key management.
---

# `gcpckms` KMS

The GCP Cloud KMS configures Boundary to use GCP Cloud KMS for key management.

The GCP Cloud KMS seal is activated by the presence of a `seal "gcpckms"` block in Boundary's configuration file.

## `gcpckms` Example

This example shows configuring GCP Cloud KMS through the Boundary
configuration file by providing all the required values:

```hcl
kms "gcpckms" {
  purpose     = "root"
  credentials = "/usr/boundary/boundary-project-user-creds.json"
  project     = "boundary-project"
  region      = "global"
  key_ring    = "boundary-keyring"
  crypto_key  = "boundary-key"
}
```

## `gcpckms` Parameters

These parameters apply to the `kms` stanza in the Boundary configuration file:

- `purpose` - Purpose of this KMS, acceptable values are: `worker-auth`, `worker-auth-storage`,
   `root`, `previous-root`, `recovery`, or `config`.

- `credentials` `(string: <required>)`: The path to the credentials JSON file
  to use. May be also specified by the `GOOGLE_CREDENTIALS` or
  `GOOGLE_APPLICATION_CREDENTIALS` environment variable or set automatically if
  running under Google App Engine, Google Compute Engine or Google Kubernetes
  Engine.

- `project` `(string: <required>)`: The GCP project ID to use. May also be
  specified by the `GOOGLE_PROJECT` environment variable.

- `region` `(string: "us-east-1")`: The GCP region/location where the key ring
  lives. May also be specified by the `GOOGLE_REGION` environment variable.

- `key_ring` `(string: <required>)`: The GCP CKMS key ring to use. May also be specified
  by the `GCPCKMS_WRAPPER_KEY_RING` environment variable.

- `crypto_key` `(string: <required>)`: The GCP CKMS crypto key to use for
  encryption and decryption. May also be specified by the `GCPCKMS_WRAPPER_CRYPTO_KEY`
  environment variable.

## Authentication &amp; Permissions

Authentication-related values must be provided, either as environment
variables or as configuration parameters.

GCP authentication values:

- `GOOGLE_CREDENTIALS` or `GOOGLE_APPLICATION_CREDENTIALS`
- `GOOGLE_PROJECT`
- `GOOGLE_REGION`
